Clam AntiVirus (commonly ClamAV) is a free, cross-platform and open-source antivirus software toolkit able to detect many types of malicious software, including viruses. One of its main uses is on mail servers as a server-side email virus scanner.

Despite the myth, Linux operating systems do get hit by viruses. Malware can take down your website, steal data from your database, and cause downtime and havoc. If you run email servers, an antivirus should always be present to stop the spread of malicious files and other scams.

To install ClamAV on CentOS, we must first install the EPEL repository (Extra Packages for Enterprise Linux). This is a free, community-based repository from the Fedora team which provides high-quality software packages for Enterprise Linux distributions such as RHEL (Red Hat Enterprise Linux), CentOS and Scientific Linux.

Preflight & ClamAV Installation Steps

Preparing your installation

Let’s start by checking that our system is up to date:

yum update -y

Next, let’s install the EPEL repository:

yum install -y epel-release

Enterprise Linux systems have SELinux (Security-Enhanced Linux) installed by default. SELinux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access control (MAC).

SELinux supports three states:

  • Enforcing – SELinux policy is enforced;
  • Permissive – SELinux prints warnings and logs instead of enforcing;
  • Disabled – No SELinux policy is loaded;

SELinux should be enabled on all production servers. For debugging purposes we will set this to Permissive.

Let’s start by checking the current SELinux status.

To change the SELinux state persistently, we edit its config file and reboot afterwards. The config file is located at /etc/selinux/config.

vim /etc/selinux/config

File content:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

If your SELinux state is other than disabled, you must enable antivirus_can_scan_system so ClamAV can access all files on disk and update its definition files:

setsebool -P antivirus_can_scan_system 1

This step is required as SELinux will block access to the files required for ClamAV to operate.

If not, you may be confronted with errors such as:

During database load : LibClamAV Warning: RWX mapping denied: Can't allocate RWX Memory: Permission denied
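The script below is an added example and not part of the original article. It ties the two SELinux points above together as a preflight check: it reads the persistent mode from /etc/selinux/config (the path from the article), compares it with the running mode reported by getenforce, and tells you whether antivirus_can_scan_system still has to be set. The function names and the --check switch are my own; the config path can be overridden through SELINUX_CONFIG to try it on a copy.

```shell
#!/usr/bin/env bash
# SELinux preflight check for a ClamAV host (added example, not from the article).
# Reads the persistent mode from /etc/selinux/config, compares it with the running
# mode, and reports whether antivirus_can_scan_system still has to be set.
set -eu

# Path from the article; override with SELINUX_CONFIG=... to test on a copy.
SELINUX_CONFIG="${SELINUX_CONFIG:-/etc/selinux/config}"

# Print the persistent SELinux mode (enforcing, permissive or disabled).
# Only the SELINUX= key is matched, so SELINUXTYPE=targeted is ignored,
# and the last assignment wins if the key appears more than once.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Extract the state from one line of getsebool output, for example
#   antivirus_can_scan_system --> off
sebool_state() {
    printf '%s\n' "${1##* --> }"
}

# True when setsebool is still needed: SELinux is not disabled and the
# boolean is not already on. With SELinux disabled the boolean is irrelevant.
needs_scan_boolean() {
    [ "$1" != disabled ] && [ "$2" != on ]
}

# Report on the live host. Runs only with --check so the functions above
# can be sourced and exercised on constructed input.
selinux_preflight() {
    local persistent runtime state
    persistent=$(selinux_config_mode "$SELINUX_CONFIG")
    runtime=$(getenforce 2>/dev/null | tr '[:upper:]' '[:lower:]')
    : "${runtime:=unknown}"
    printf 'persistent mode: %s, running mode: %s\n' "$persistent" "$runtime"
    if [ "$persistent" != "$runtime" ]; then
        echo "config and runtime differ: the change takes effect after a reboot"
    fi
    state=$(sebool_state "$(getsebool antivirus_can_scan_system 2>/dev/null \
        || echo 'antivirus_can_scan_system --> unknown')")
    if needs_scan_boolean "$runtime" "$state"; then
        echo "antivirus_can_scan_system is $state: run setsebool -P antivirus_can_scan_system 1"
    else
        echo "antivirus_can_scan_system is $state: nothing to do"
    fi
}

if [ "${1:-}" = "--check" ]; then
    selinux_preflight
fi
```

Run it as `./selinux-preflight.sh --check` before starting clamd. The decision is made on the running mode rather than the config file on purpose: after editing SELINUX=permissive the kernel is still enforcing until the reboot, and the boolean is needed in both enforcing and permissive mode.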

Installing ClamAV

Next, let’s install ClamAV with the following command:

yum -y install clamav-server clamav-data clamav-update clamav-filesystem clamav clamav-scanner-systemd clamav-devel clamav-lib clamav-server-systemd

Configuring the ClamD daemon

First we must enable the clamd configuration file located at /etc/clamd.d/scan.conf.

The following commands will:

  • enable the configuration file
  • configure the correct directory for the socket
  • set the ClamAV user

sed -i '/^Example/d' /etc/clamd.d/scan.conf
sed -i 's,LocalSocket /var/run/clamd.<SERVICE>/clamd.sock,LocalSocket /var/run/clamd.scan/clamd.sock,g' /etc/clamd.d/scan.conf
sed -i 's, User <USER>,User clamscan,g' /etc/clamd.d/scan.conf

Enable Freshclam

Freshclam keeps the ClamAV signature database up to date. Like clamd, it must be enabled through its configuration file as well.

Perform the following commands:

cp /etc/freshclam.conf /etc/freshclam.conf.bak
sed -i '/^Example/d' /etc/freshclam.conf
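The sed one-liners for scan.conf (above, under "Configuring the ClamD daemon") and for freshclam.conf are fine for a one-off, but nothing tells you whether a pattern actually matched, and the LocalSocket pattern will not match the commented `#LocalSocket ...` template line. The script below is an added example, not the article's own code: it generalizes those edits into a setter that replaces the first line starting with the key whether it is active or commented out, drops the Example guard line from both files, and verifies the result so a silent no-op is caught. Paths, socket and user are the ones from the article; the function names and the --apply switch are assumptions of mine, and the setter relies on GNU sed (the `0,/re/` address), which CentOS ships.

```shell
#!/usr/bin/env bash
# Idempotent configuration of clamd and freshclam (added example, not the
# article's own code). Generalizes the sed one-liners from the article into a
# setter that works on an active line or on the commented "#Key <PLACEHOLDER>"
# template, and adds a verification step so a non-matching pattern is noticed.
set -eu

# EPEL/CentOS paths from the article; override via the environment to work on copies.
CLAMD_CONF="${CLAMD_CONF:-/etc/clamd.d/scan.conf}"
FRESHCLAM_CONF="${FRESHCLAM_CONF:-/etc/freshclam.conf}"
CLAMD_SOCKET="/var/run/clamd.scan/clamd.sock"
CLAMD_USER="clamscan"

# Remove the "Example" guard line that keeps clamd/freshclam from starting
# with an unedited default file.
drop_example_line() {
    sed -i '/^Example/d' "$1"
}

# Set "Key Value" in a clamd-style config. The first line starting with the
# key, optionally commented out, is replaced in place; if the key is absent
# the option is appended. Re-running leaves the file unchanged. (GNU sed.)
set_option() {
    local file="$1" key="$2" value="$3"
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -i -E "0,/^[#[:space:]]*${key}([[:space:]]|$)/s|^[#[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

configure_clamd() {
    local f="${1:-$CLAMD_CONF}"
    drop_example_line "$f"
    set_option "$f" LocalSocket "$CLAMD_SOCKET"
    set_option "$f" User "$CLAMD_USER"
}

configure_freshclam() {
    local f="${1:-$FRESHCLAM_CONF}"
    [ -e "$f.bak" ] || cp "$f" "$f.bak"   # keep the first pristine copy only
    drop_example_line "$f"
}

# Succeed only when Example is gone and each option is active exactly once.
verify_clamd() {
    local f="${1:-$CLAMD_CONF}"
    ! grep -q '^Example' "$f" &&
    [ "$(grep -c '^LocalSocket[[:space:]]' "$f")" -eq 1 ] &&
    grep -Fxq "LocalSocket $CLAMD_SOCKET" "$f" &&
    [ "$(grep -c '^User[[:space:]]' "$f")" -eq 1 ] &&
    grep -Fxq "User $CLAMD_USER" "$f"
}

verify_freshclam() {
    ! grep -q '^Example' "${1:-$FRESHCLAM_CONF}"
}

# Apply to the real files only when asked explicitly.
if [ "${1:-}" = "--apply" ]; then
    configure_clamd && configure_freshclam
    verify_clamd && verify_freshclam && echo "clamd and freshclam configuration verified"
fi
```

Run `./clamav-config.sh --apply` as root; a non-zero exit from the verify step means one of the files still needs a look by hand. Because the setter matches on the key only, it leaves unrelated options such as LocalSocketGroup untouched and can be rerun safely after a package update reinstates the shipped file.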

No service file is shipped to run Freshclam as a daemon, so we must create one:

touch /usr/lib/systemd/system/clam-freshclam.service
vim /usr/lib/systemd/system/clam-freshclam.service

Paste the following content:

# Run the freshclam as daemon
[Unit]
Description = freshclam scanner
After =

[Service]
Type = forking
ExecStart = /usr/bin/freshclam -d -c 4
Restart = on-failure
PrivateTmp = true

[Install]
# Needed so that "systemctl enable" has a target to hook the unit into
WantedBy = multi-user.target

To start the service while enabling it to start automatically:

systemctl enable --now clam-freshclam

You can verify the status of the freshclam service by running the following command:

systemctl status clam-freshclam

● clam-freshclam.service - freshclam scanner
   Loaded: loaded (/usr/lib/systemd/system/clam-freshclam.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-01-08 18:40:52 BST; 1h 59min ago
 Main PID: 979 (freshclam)
   CGroup: /system.slice/clam-freshclam.service
           └─979 /usr/bin/freshclam -d -c 4

Jan 12 18:40:52 systemd[1]: Starting freshclam scanner...
Jan 12 18:40:52 freshclam[979]: freshclam daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 12 18:40:52 freshclam[979]: ClamAV update process started at Mon Sep 23 18:40:52 2019
Jan 12 18:40:52 freshclam[979]: main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Jan 12 18:40:52 systemd[1]: Started freshclam scanner.
Jan 12 18:40:52 freshclam[979]: daily.cld is up to date (version: 25581, sigs: 1776056, f-level: 63, builder: raynman)
Jan 12 18:40:52 freshclam[979]: bytecode.cld is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Jan 12 18:40:52 freshclam[979]: --------------------------------------

Finally, we enable the clamd@scan service. It is an instance of the clamd@.service template unit, which requires no alterations.

systemctl enable --now clamd@scan

And to verify the status of the clamd@scan service:

systemctl status clamd@scan

● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: activating (start) since Mon 2018-01-08 19:20:51 BST; 1h 0min ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
  Control: 1171 (clamd)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─1171 /usr/sbin/clamd -c /etc/clamd.d/scan.conf

Jan 12 19:20:51 systemd[1]: Starting Generic clamav scanner daemon...
Jan 12 19:20:51 clamd[1171]: Received 0 file descriptor(s) from systemd.
Jan 12 19:20:51 clamd[1171]: clamd daemon 0.101.4 (OS: linux-gnu, ARCH: x86_64, CPU: x86_64)
Jan 12 19:20:51 clamd[1171]: Running as user clamscan (UID 994, GID 988)
Jan 12 19:20:51 clamd[1171]: Log file size limited to 1048576 bytes.
Jan 12 19:20:51 clamd[1171]: Reading databases from /var/lib/clamav
Jan 12 19:20:51 clamd[1171]: Bytecode: Security mode set to "TrustSigned".
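Reading `systemctl status` by eye works once, but a mail server needs the same check repeated, and an "active" freshclam does not prove that signatures are still arriving (a blocked outbound connection leaves the daemon running and the database stale). The script below is an added example, not from the article: it parses `systemctl show` output for the two units set up above and checks the age of the daily signature database in /var/lib/clamav. Unit names and the database directory are the article's; the 48-hour limit, the function names and the --check switch are assumptions of mine.

```shell
#!/usr/bin/env bash
# Post-install health check for the units set up in this article (added
# example, not from the article). An "active" unit does not prove that
# signatures are still arriving, so the age of the daily database is checked too.
set -eu

# Paths/units from the article. The age limit is an assumption: freshclam runs
# four checks a day (-c 4), so a daily database older than 48h means updates
# are failing (mirror unreachable, outbound traffic blocked, ...).
CLAMAV_DB_DIR="${CLAMAV_DB_DIR:-/var/lib/clamav}"
MAX_DAILY_AGE_HOURS="${MAX_DAILY_AGE_HOURS:-48}"
UNITS="clam-freshclam.service clamd@scan.service"

# Takes the output of `systemctl show -p ActiveState -p UnitFileState <unit>`
# (lines such as "ActiveState=active") and succeeds only when the unit is
# running now and enabled at boot. "activating" counts as not yet healthy.
unit_healthy() {
    local active unitfile
    active=$(printf '%s\n' "$1" | sed -n 's/^ActiveState=//p')
    unitfile=$(printf '%s\n' "$1" | sed -n 's/^UnitFileState=//p')
    [ "$active" = active ] && [ "$unitfile" = enabled ]
}

# Age of a file in whole hours, from its modification time (GNU stat).
file_age_hours() {
    local now mtime
    now=$(date +%s)
    mtime=$(stat -c %Y "$1")
    echo $(( (now - mtime) / 3600 ))
}

# Succeed when daily.cvd or daily.cld exists and is younger than the limit.
# main.cvd and bytecode are released rarely, so their mtime says nothing
# about whether freshclam is working and they are deliberately not checked.
daily_signatures_fresh() {
    local dir="$1" limit="$2" f
    for f in "$dir"/daily.cvd "$dir"/daily.cld; do
        [ -f "$f" ] || continue
        [ "$(file_age_hours "$f")" -lt "$limit" ] && return 0
    done
    return 1
}

health_check() {
    local rc=0 unit
    for unit in $UNITS; do
        if unit_healthy "$(systemctl show -p ActiveState -p UnitFileState "$unit")"; then
            echo "$unit: active and enabled"
        else
            echo "$unit: not healthy, see: systemctl status $unit"; rc=1
        fi
    done
    if daily_signatures_fresh "$CLAMAV_DB_DIR" "$MAX_DAILY_AGE_HOURS"; then
        echo "daily signatures updated within ${MAX_DAILY_AGE_HOURS}h"
    else
        echo "daily signatures missing or older than ${MAX_DAILY_AGE_HOURS}h, check: journalctl -u clam-freshclam"; rc=1
    fi
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then
    health_check
fi
```

Run `./clamav-health.sh --check` from cron or your monitoring agent; a non-zero exit means something needs attention. Note that against the clamd@scan output shown above, which still reports `activating (start)` after an hour, this check would flag the unit as not yet healthy, which is exactly the kind of state that is easy to skim past in a status listing.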

Should you have any questions left regarding this article, or if you want to discuss this article with other users, please leave a comment.
